Bug 896012 (CVE-2014-3595) - VUL-0: CVE-2014-3595: spacewalk-java: Satellite: Spacewalk contains multiple XSS
Summary: VUL-0: CVE-2014-3595: spacewalk-java: Satellite: Spacewalk contains multiple XSS
Status: RESOLVED FIXED
Alias: CVE-2014-3595
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Deadline: 2014-11-19
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/105972/
Whiteboard: maint:released:sle11-sp3:58908 maint...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-10 12:14 UTC by Marcus Meissner
Modified: 2022-01-22 14:55 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-09-10 12:14:33 UTC
via redhat

Multiple XSS flaws within Satellite 5.6 were reported by Ron Bowes of Google.

The issue is viewing tomcat logfiles without escaping.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1129821
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3595
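The flaw described above is log text reaching the browser without escaping. The following added example is not Spacewalk's own code (class and method names are assumed); it shows the defect and the fix side by side: a log viewer that emits raw Tomcat log lines into HTML, and the hardened version that HTML-escapes each line before it is rendered.

```java
import java.util.List;

public class LogViewExample {
    // Constructed sample: a Tomcat log line that recorded attacker-supplied
    // request data, as a servlet would log it and the UI later display it.
    static final List<String> SAMPLE_LOG = List.of(
        "10-Sep-2014 12:14:33 INFO  Started server on port 8080",
        "10-Sep-2014 12:15:01 WARN  Bad request path: /<script>alert(1)</script>");

    // Vulnerable pattern: log text is copied into the page verbatim, so any
    // markup that was written to the log is interpreted by the browser.
    static String renderUnescaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>\n");
        for (String line : lines) html.append(line).append('\n');
        return html.append("</pre>").toString();
    }

    // Hardened pattern: each line is HTML-escaped before it is embedded, so
    // the log is shown as text and never executed.
    static String renderEscaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>\n");
        for (String line : lines) html.append(escapeHtml(line)).append('\n');
        return html.append("</pre>").toString();
    }

    // Minimal escaper for HTML text context; a library encoder such as the
    // OWASP Java Encoder is preferable in production code.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(renderUnescaped(SAMPLE_LOG)); // <script> tag survives
        System.out.println(renderEscaped(SAMPLE_LOG));   // rendered as &lt;script&gt;
    }
}
```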
Comment 2 Marcus Meissner 2014-09-10 12:19:12 UTC
SUSE:SLE-11-SP3:Update:Products:Test/spacewalk-java/spacewalk-java-git-0.958eaf1

./code/src/com/redhat/rhn/frontend/action/satellite/CatalinaAction.java

needs it...
Comment 3 Marcus Meissner 2014-09-10 12:22:15 UTC
do you plan a spacewalk-java update soon? we might even need our own if this is accessible
Comment 5 Swamp Workflow Management 2014-09-10 12:41:26 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-09-17.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58906
Comment 6 SMASH SMASH 2014-09-10 12:45:15 UTC
Affected packages:

SLE-11-SP1-MANAGER: spacewalk-java
SLE-11-SP2-PRODUCTS: spacewalk-java
SLE-11-SP3: spacewalk-java
SLE-11-SP3-PRODUCTS: spacewalk-java
SLE-11-SP3-UPTU: spacewalk-java
Comment 11 Swamp Workflow Management 2014-09-10 22:00:26 UTC
bugbot adjusting priority
Comment 13 Swamp Workflow Management 2014-10-31 17:05:20 UTC
SUSE-SU-2014:1339-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 896012,902182
CVE References: CVE-2014-3595,CVE-2014-3654
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    spacewalk-java-1.7.54.33-0.5.1
Comment 14 Swamp Workflow Management 2014-11-05 20:42:16 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-19.
https://swamp.suse.de/webswamp/wf/59584
Comment 15 Johannes Segitz 2015-03-25 13:34:40 UTC
all updates released